After you identify company assets, the next step is to determine their security level. Depending on the company's requirements, assets may be classified into two or more levels of security. I recommend two levels for organizations with minimal security threats: public and confidential. A three-level security classification scheme can be implemented if security needs are greater: public, confidential, and restricted.

Be wary of having too many security levels; this tends to dilute their importance in the eyes of the user. A large multinational IT vendor used to have five levels of security: public, internal use only, confidential, confidential restricted, and registered confidential. Today, it has cut that down to three: public, internal use only, and confidential. Under the five-level scheme, employees were confused about the differences among the secured levels and the procedures associated with each one. Having too many security levels proved expensive in terms of employee education, security facilities, and office practices; the costs were often greater than the potential losses from a security violation.